Sample access request policy and checklist

In a number of reports issued by my office, we have recommended that towns, villages and municipalities develop an operational policy for processing access to information requests. After a number of questions, it became clear that no sample policy existed for small towns, villages and municipalities. Larger organizations have developed policies that suit an organization with many employees and, probably, legal staff. The policy developed here was adapted from the City of Regina’s operational policy and tailored to a smaller organization.

Anything that is labeled a “sample policy” should be treated as a starting point for drafting. In using this sample, one should feel free to delete language that isn’t applicable to their organization and add language that speaks specifically to them.

In The Local Authority Freedom of Information and Protection of Privacy Act, the “head” is the Mayor or Reeve in a town or village. It is a recommended practice to delegate the “head’s” responsibility to the administrator or city clerk.

Following the posting of the sample operational policy, we have had discussions with people about the need for an access request checklist: something simple that the head, Reeve or administrator could follow when they receive an access request. So, we developed a sample checklist. Again, the checklist is a “sample” or “guide”; public bodies should adapt it to their needs by adding and deleting items. We have also updated the sample policy to refer to the checklist.

You can find the sample policy link here. The Sample Access Request and Checklist can be found attached at the end of the Sample Operational Policy, Access to Information.

Statement from the Office of the Information and Privacy Commissioner on Access to Information During a Pandemic

The question has been raised: What about access requests during a pandemic?

In Saskatchewan, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA) are still in force. Citizens of Saskatchewan still have the right to request information or records, and public bodies are still required to accept and process access requests. If staff are assigned to pandemic or other essential issues, I understand. On the other hand, public bodies have designated FOI staff who may now be working from home, and the processing of access requests can continue. It might not be quite as efficient, but it can and should continue. Public bodies, when faced with a heavier than normal workload on access requests, can consider an extension, but no public body should simply refuse to process requests. If someone is working from home, they may need access to records that are at the office. Before stopping work on the request, the public body should explore other ways of getting the record. It might be slower, but the process can still move forward. Of course, with electronic records, working from home may still allow access to the necessary records.

When access requests focus on COVID-19, I would ask public bodies to accelerate those requests and give them priority. Citizens are naturally concerned and worried about the situation. Being transparent can reduce the anxiety that is in society right now. Getting an answer 30 or 60 days from now will not be of much assistance to the citizen.

When we thought this situation would take two weeks, suspension of service might have been reasonable. When isolation might occur for three months or longer, we need to have our information process systems operating, although maybe not quite as efficiently as before.

Finally, FOIP, LA FOIP and HIPA are still operative, and the requirements and timelines in legislation cannot be waived by me. My office can, however, be flexible on the timelines it imposes during reviews and investigations, for example for providing a submission, providing the record or answering questions. If you need an extension, please make that request directly to the individual in my office working on that file with you.

I ask all public bodies to work with my office to keep the access to information system working.

Ronald J. Kruzeniski
Information and Privacy Commissioner

Media contact:
Kim Mignon-Stark
kmignon-stark@oipc.sk.ca

Circle of Care

When my office investigates privacy breaches in the health care sector, at times the defence, explanation or reason given is that the person believed they were in the “circle of care”. What is the circle of care? The term certainly is not used in The Health Information Protection Act (HIPA). I did find one definition on the Canadian Medical Protective Association (CMPA) website in its “Glossary”:

Circle of care
The group of healthcare professionals providing care to a patient who need to know the patient’s personal health information to provide that care.

In using this definition, I note the words “who need to know… to provide that care”. That word “need” is most important.

HIPA, in section 23, deals with the need-to-know. If you define “circle of care” by referring to need-to-know, then one is really echoing the principle set out in section 23 of HIPA.

When people were talking to me, they referred to the “circle of care” as an etched-in-stone concept. I fear many have their own definition of “circle of care”, and that creates problems if we all have our own definition. The CMPA definition is one that might create a common understanding of the term.

Dr. Karen Shaw has written an article in “DocTalk” and says this about “circle of care”:

Unfortunately, the use of terminology such as the concept of “circle of care” has led to some of this confusion. The term should be abandoned, as it infers that once a healthcare worker is in the circle of care that person is entitled to access all of the patient’s personal health information. This is incorrect.

There needs to be further discussion on the use and meaning of “circle of care” and how it works in light of section 23 of HIPA. My preference is that the term be abandoned.


Records blowing in the wind – Saskatchewan needs a private-sector privacy law

Citizens in Regina had a difficult time navigating Victoria Avenue on Wednesday, January 22, 2020. Boxes and papers that had spilled out of the back of a truck blocked the road. It was determined that the papers contained the personal information of citizens and that the owner of the papers was a private-sector business over which my office has no jurisdiction. The personal information involved included names, addresses, phone numbers, email addresses and financial transactions the individuals were involved in (e.g. payments received).

Unlike some other provinces in Canada, Saskatchewan does not have a private-sector privacy law. If it did, the Commissioner would have jurisdiction to investigate such a privacy breach. However, despite not having jurisdiction, my office still played an initial role in trying to determine where the records originated.

My office contacted the Office of the Privacy Commissioner of Canada to see if the federal Privacy Commissioner had jurisdiction. Federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets national standards for privacy practices in the private sector such as how private-sector businesses collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as banks, airlines and telecommunications companies.

The outcome of this privacy breach was that the federal office provided directions, through our office, to the City of Regina, which had initially gathered the records off the street. A local response by my office might have been more efficient. We could attend the scene right away, respond to media inquiries, quickly interview witnesses, gather evidence and provide prompt guidance to both the City and the business that lost its records. To do that, we need a Saskatchewan private-sector privacy law similar to those in British Columbia, Alberta and Quebec.

If this type of event occurs again in the future, some initial steps that can be taken are:

  1. Immediately secure the records – collect them and put them in a secure place (locked office or drawer);
  2. If it is possible to identify whom the records belong to, notify them; notify my office or the federal Privacy Commissioner’s office at 1-800-282-1376; and
  3. Keep the records securely stored, limit access and wait for further instructions from my office or the federal Privacy Commissioner’s office.


Statement from the Office of the Information and Privacy Commissioner of Saskatchewan on eHealth Saskatchewan Potential Privacy Breach

The Office of the Information and Privacy Commissioner of Saskatchewan is investigating a cyberattack affecting eHealth and potentially health care information

The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of eHealth. eHealth is the province’s main provider of health information services.

The office is working closely with eHealth.

On January 10, 2020, eHealth reported a ransomware attack on their computer systems to the IPC. eHealth has confirmed publicly that it was subject to a ransomware attack.

The IPC investigation will, among other things, examine whether there was a breach of personal information or personal health information, and if so, the scope of the breach, the circumstances leading to it, and what, if any, measures eHealth could have taken to prevent and contain the breach. My office will also investigate ways eHealth can help ensure the future security of personal health information and avoid further attacks.

Anyone with questions can contact eHealth at privacyandaccess@eHealthSask.ca or by phone at 1-855-eHS-LINK (347-5465).

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski, Q.C.
Information and Privacy Commissioner of Saskatchewan

Media contact: Kim Mignon-Stark, Executive Assistant

Office of the Information and Privacy Commissioner of Saskatchewan
kmignon-stark@oipc.sk.ca 306-798-0173

503 – 1801 Hamilton Street, Regina SK S4P 4B4
Telephone: 306-787-8350 / Toll Free Telephone (within Saskatchewan): 1-877-748-2298
Email: webmaster@oipc.sk.ca / Twitter: @SaskIPC


Statement from Office of the Information and Privacy Commissioner of Saskatchewan on LifeLabs Privacy Breach

The office of the Commissioner is investigating a cyberattack affecting health care information of millions of customers in Canada and approximately 93,000 residents in Saskatchewan

Thursday, December 19, 2019 – The Office of the Information and Privacy Commissioner of Saskatchewan (IPC) is undertaking an investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs. The office is working closely with the Information and Privacy Commissioner of British Columbia and the Information and Privacy Commissioner of Ontario, who are also undertaking investigations.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions – LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On December 13, 2019, LifeLabs reported a cyberattack on their computer systems to the IPC. On December 17, 2019, they confirmed they were the subject of an attack affecting the personal information of millions of customers in Ontario, British Columbia and Saskatchewan. They told us that the affected systems contain information of approximately 15 million LifeLabs customers across Canada, including name, address, email, customer logins and passwords, health card numbers, and lab tests.

The IPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures LifeLabs could have taken to prevent and contain the breach. My office will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

If you have visited LifeLabs for a test or received a test or service from LifeLabs Genetics or Rocky Mountain Analytical, then it is likely your information is in the LifeLabs database.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

Alternatively, persons who have questions or wish to file a complaint can contact my office at 306-787-0488 or 1-877-748-2298.

Note to media: My office will not discuss the details of the investigation while it is ongoing. My office will issue a public report once the investigation is complete.

Ronald J. Kruzeniski
Information and Privacy Commissioner of Saskatchewan

Media contact:
Office of the Information and Privacy Commissioner of Saskatchewan
Kim Mignon-Stark
kmignon-stark@oipc.sk.ca 306-798-0173


Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians

Information and Privacy Ombudspersons and Commissioners from across Canada are urging their governments to modernize access to information and privacy laws.

In a joint resolution, Canada’s access to information and privacy guardians note that along with its many benefits, the rapid advancement of technologies has had an impact on fundamental democratic principles and human rights, including access to information and privacy. They further point out that Canadians have growing concerns about the use and exploitation of their personal information by both government and private businesses.

“Most Canadian access and privacy laws have not been fundamentally changed since their passage, some more than 35 years ago,” the resolution says. “They have sadly fallen behind the laws of many other countries in the level of privacy protection provided to citizens.”

While there have been legislative advances made in some Canadian jurisdictions, work is still required to ensure modern legislation is in place across the country in order to better protect Canadians.

The resolution notes that privacy and access to information are fundamental to self-determination, democracy and good government. It calls for:

  • a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies
  • all public and private sector entities engaged in handling personal information to be subject to privacy laws
  • enforcement powers, such as legislated order-making powers and the power to impose penalties, fines or sanctions
  • the right of access to apply to all information held by public entities, regardless of format

Canada’s Information and Privacy Commissioners and Ombudspersons reaffirmed their commitment to collaborate, make recommendations to government, and to continue to study and make public how access and privacy laws impact all Canadians.

Related Documents

Joint statement – Modernizing Access and Privacy Laws


Best practices when using USB drives

When thinking about this topic, I decided to research how large a USB drive I could actually purchase. I was surprised to see you can purchase one that stores 2 terabytes (TB) of data. Just think about that: something the size of a car key can hold 2 TB of data. With the ability to store that much data in a very small and portable way, it is important to be super vigilant when using memory sticks.

In January 2018, the IPC developed a resource – Helpful Tips: Mobile Device Security. This resource offers many tips and considerations that are helpful when using memory sticks, including administrative safeguards, technical safeguards and physical safeguards. However, here is a quick list of some things to keep in mind when using USB Drives:

  • Encryption/password-protected devices: Only purchase USB drives that have encryption or password protection functionality.
  • Strong passwords: If you need to store personal information (pi), personal health information (phi) or other forms of sensitive or confidential information on a USB drive, be sure it is locked with a strong password.
  • De-identify: When storing pi/phi on a USB drive, de-identify the information wherever possible.
  • Delete data: Immediately delete the data from the USB drive once it is no longer needed.
  • Unattended USBs: Do not leave USBs in vehicles or unattended in public. If it is absolutely necessary to leave one in a vehicle, lock it in the trunk or glove box, out of sight. When not in use in your office, be sure to lock it up.
  • Access on a need-to-know basis: When storing data on a device, access to that data should be on a need-to-know basis.
  • Lost or stolen USBs: Report lost or stolen USBs immediately to your supervisor and the Privacy Officer.
  • Disposal: At the end of its lifecycle, be sure that all the data has been wiped from the USB drive. Once that is done, physically destroy the USB drive before disposing of it.

For more applicable information on USB drive use, please see the following resources:

Search Checklist

One government institution that we work with often has developed a search checklist, the “Responsive Records Search Log”, which has really assisted both them and my office in knowing that a thorough search was made. I asked for, and was given, permission to take their search checklist and modify it so that it might be applicable to any government institution or local authority.

I encourage Access and Privacy coordinators to take a look at the sample search checklist and decide whether such a search checklist would help in ensuring thorough searches. Certainly, one should feel free to adapt the search checklist to the circumstances in one’s organization.

The search checklist could be distributed by the Access and Privacy coordinator to those that he or she has identified as part of his or her search strategy. Along with the search checklist, the Access and Privacy coordinator should give the recipient a timeline to complete the search and indicate whether he or she is only seeking a representative sample for building a fee estimate or a full search for responsive records.

I believe the search checklist is helpful when multiple employees in an organization have to do searches. I believe it assists the Access and Privacy coordinator in determining whether the organization has done a thorough search.

Please take a look at the sample search checklist on our website here. Of course, if you have any suggestions to improve this search checklist, please email my office.


Technology and function creep

“I love technology,
But not as much as you, you see.
But I still love technology.
Always and forever.”

Kip, from the movie Napoleon Dynamite

Technology takes on a central role in most, if not all, workplaces. It is difficult to imagine a workplace without computers. Further, cloud computing is enabling workplaces to organize themselves far more dynamically while completing tasks efficiently. With all of its benefits, we must be cognizant of technology’s impact upon employee privacy.

“Function creep” occurs when information is used for a purpose other than the original specified purpose. For example, a workplace may install a security system that requires employees to sign in or sign out of the workplace. The purpose of the security system is to prevent unauthorized access to a particular workplace. However, organizations may end up using this information about individual employees to track employee attendance. This could be a privacy breach if the organization has not fulfilled the collection requirements in The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, if the organization is collecting the information to track employee attendance without informing employees of the purpose for which the information is being collected, as required by subsection 26(2) of FOIP or subsection 25(2) of LA FOIP, then this would be a privacy breach.

Function creep is often unintended. However, this is not an excuse for organizations to breach employee privacy. Below are some suggestions that organizations could undertake to avoid or stop function creep:

  • Have at least one employee designated as the privacy officer.
  • Have a process in place so that employees (or members of the public) can raise concerns and that those concerns are investigated.
  • Since function creep is often unintended, organizations that learn that a technology or process is committing function creep should be open to adjusting it so that the function creep is discontinued.
  • Regularly undertake privacy impact assessments (PIA) so they can comprehensively analyze and evaluate how technology impacts privacy. A PIA is a process that should be undertaken not only by the privacy officer, but managers and employees implementing new technology, processes, projects, and/or programs. PIAs require teamwork!

For more information, check out my office’s resource called Technology’s Impact Upon Employee Privacy.
